Reassurance About the Proposed HIPAA Security Rule Changes: What Mental Health Practitioners Need to Know
The recent proposed changes to the HIPAA Security Rule have generated a wave of concern among mental health practitioners. With discussions circulating about new requirements, timelines, and potential impacts on small practices, it’s no surprise that many feel anxious about what these changes could mean. However, a closer look at the process, historical precedents, and the practical implications of these proposals reveals that there’s little need for immediate panic. Here’s why:

Understanding the Timeline of Proposed Changes
At the end of December 2024, the Department of Health and Human Services (HHS) released extensive proposed updates to the HIPAA Security Rule, which were published in the Federal Register in early January 2025. This opened a formal comment period, which closed on March 7, 2025. While the close of the comment period may suggest that implementation is imminent, historical trends and the regulatory process tell a different story.
Consider the proposed changes to the HIPAA Privacy Rule, published in December 2020. Despite an extended comment period that closed in May 2021, those changes have yet to be finalized or implemented. There is no clear timeline for when—if ever—they will take effect. Given this precedent, we can reasonably expect that the current Security Rule proposals will follow a similarly protracted timeline.
Even once a Final Rule is published, the proposal itself builds in a lead time of at least eight months: the rule would become effective 60 days after publication in the Federal Register, followed by a 180-day compliance period during which regulated entities would not be penalized for failing to meet the new requirements, precisely to give them time to come into compliance. Immediate upheaval for practices is therefore not just unlikely; the process does not allow for it.
Key Concerns and Clarifications
The Rationale Behind the Proposed Changes: Why Now?
The Last Update and the Evolving Landscape
The HIPAA Security Rule was last updated in 2013, more than a decade ago. Since then, the technology and practice landscape in healthcare, particularly in mental health, has transformed dramatically. Cloud-based systems have become the norm, telehealth has surged, and the risks posed by cyber threats have grown sharply.
These proposed updates are not arbitrary. They respond to the rising number of data breaches, ransomware attacks, and other cybersecurity incidents in healthcare, many of which have directly disrupted client care. They also respond to a compliance problem: despite the seismic shifts above, many regulated entities have never meaningfully implemented the existing Security Rule, or have misunderstood it. Because the current rule leaves much to interpretation, security measures have been applied inconsistently, leaving gaps that put client information, and in some cases client safety, at risk.
The proposed changes aim to close those gaps with clearer, more specific, and more enforceable requirements, so that safeguards are actually implemented rather than existing only in written policies. The goal is to better protect client information, reinforce providers' ethical responsibilities, and prevent the kind of breach that disrupts care and erodes client trust.
From a client care perspective, these security measures are not just regulatory hoops to jump through—they are essential safeguards to uphold clients’ rights to privacy and data security. HIPAA compliance, when done right, aligns with core ethical principles in mental health care, emphasizing the responsibility providers have in ensuring their clients’ sensitive information is protected. The proposed rule changes, while extensive, are grounded in the reality that security lapses have real consequences for client well-being.
While some of the proposed changes are extensive, many align with current best practices and ethical responsibilities already followed by security-conscious mental health professionals. Key areas of concern include:
1. The Proposed Requirement for Penetration Testing
One of the most debated provisions is the requirement for penetration testing. The proposal calls for penetration testing at least once every 12 months (alongside vulnerability scanning at least every six months), and solo and small group practitioners fear this could be overly burdensome. What such testing would look like for a practice that owns no servers or network infrastructure is not clear from the proposal, and there is strong advocacy, including from the American Psychological Association (APA), to exempt smaller practices or to allow alternative ways of meeting the requirement.
It also helps to remember that cloud-reliant practices already depend on third-party vendors (electronic health records (EHR) providers, secure email platforms, and the like) that conduct penetration testing of their own platforms; under a Business Associate Agreement, a practice can ask its vendor for a summary of that testing or for an independent audit report such as a SOC 2. Vendor testing does not, however, cover the practice's own laptops, phones, and account settings. For most mental health practices, compliance with this potential requirement would therefore likely focus on endpoint security, keeping devices and networks secured, rather than on sophisticated in-house testing.
2. Increased Specificity for Security Requirements
The proposed rule includes greater specificity in some areas, such as requiring annual risk analyses and security training—both of which are already considered best practices and are recommended by Person Centered Tech. If these changes go into effect, compliance for practitioners following the PCT Way would require only minor policy updates, rather than a major overhaul of security procedures.
Regulatory and Political Considerations
The likelihood of these changes being finalized and enforced anytime soon is further complicated by the current regulatory climate. The present administration has prioritized deregulation, making it uncertain whether these proposals will gain traction. If the proposed changes do move forward, we can expect years of revisions, clarifications, and additional stakeholder input before enforcement becomes a reality.
Practical Steps for Mental Health Practices
Rather than worrying about hypothetical changes, practitioners should focus on what they can control today—maintaining robust security measures and compliance with current HIPAA Security Rule standards. Here’s how:
- Conduct Annual Risk Analyses: Understanding your security vulnerabilities and how client information, Protected Health Information (PHI), flows through your practice is essential to protecting it. Without this, it is not practically possible to implement reasonable and appropriate safeguards. Think of a HIPAA Security Risk Analysis & Risk Mitigation Plan as a Needs Assessment & Treatment Plan for your practice.
- Adopt and Implement Operationalized Security Policies & Procedures: Having documented security policies and procedures is not enough; they must be actively implemented and followed in daily operations. Ensure that all workforce members understand and apply these measures consistently.
- Ensure Device Security: Implement the safeguards that qualify for HIPAA's encryption safe harbor, including full-device encryption, strong passwords, and automatic device lockout. Under the Breach Notification Rule, PHI on a lost or stolen device that was fully encrypted is not "unsecured PHI", so its loss is generally not a reportable breach, provided the device was locked and the password or key was not compromised along with it; that is why the three measures go together. In the modern practice context, in which most PHI lives in cloud-based systems, weak device security is one of the largest areas of risk exposure: a compromised device can expose everything its signed-in accounts can reach.
- Utilize Secure Systems: Rely on HIPAA-compliant cloud-based services with Business Associate Agreements (BAAs). A BAA makes the vendor accountable for its side of the arrangement; securing the practice's own accounts (multi-factor authentication, limiting who has access, and removing access when workforce members leave) remains the practice's responsibility.
- Stay Informed but Avoid Panic: Monitor updates from trusted sources like PCT and professional organizations, but recognize that regulatory change is a slow-moving process. Place your primary focus on what needs to be done in your practice to actually safeguard client information.
Final Thoughts: A Mindset Shift Toward Security as Client Care
While regulatory changes can feel daunting, it’s crucial to reframe compliance as an extension of ethical client care. Implementing security measures isn’t just about avoiding penalties—it’s about safeguarding sensitive client information and maintaining trust.
For those already following PCT’s guidance, there’s little cause for alarm. Any eventual regulatory changes will build on existing best practices, rather than introduce unmanageable burdens. So, take a deep breath—there’s time to adapt, and Person Centered Tech is here to guide you through it.